Tag Archives: version

A zero-day vulnerability has been discovered in the desktop version of the end-to-end encrypted Telegram messaging app that was being exploited in the wild to spread malware that mines cryptocurrencies such as Monero and ZCash.

The Telegram vulnerability was uncovered by security researcher Alexey Firsh from Kaspersky Lab last October and affects only the Windows client of Telegram messaging software.

The flaw has been actively exploited in the wild since at least March 2017 by attackers who tricked victims into downloading malicious software onto their PCs, which then used their CPU power to mine cryptocurrencies or served as a backdoor allowing attackers to remotely control the affected machine, according to a blog post on Securelist.

Here’s How Telegram Vulnerability Works

The vulnerability resides in the way the Telegram Windows client handles the RLO (right-to-left override) Unicode character (U+202E), which is used for encoding languages that are written from right to left, like Arabic or Hebrew.

According to Kaspersky Lab, the malware creators placed a hidden RLO Unicode character in the file name, which reversed the order of the characters that followed it and thus changed how the file name was displayed, and sent the file to Telegram users.

For example, when an attacker sends a file named “photo_high_re*U+202E*gnp.js” in a message to a Telegram user, the file name rendered on the user’s screen has its last part flipped.

Therefore, the Telegram user sees an incoming PNG image file (as shown in the image below) instead of a JavaScript file, misleading them into downloading the malicious file disguised as an image.
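The following is an added example (not code from the original post or from Kaspersky) showing how a defender-side filter can detect this trick: it flags Unicode bidi control characters in a filename, approximates what a naive UI would render, and recovers the extension the operating system will actually use. The sample file name is the one quoted above; the list of dangerous extensions is an assumption.

```python
import unicodedata

# Unicode bidirectional control characters that can change how a name is drawn
# without changing the bytes the OS uses to pick a file handler.
BIDI_CONTROLS = {
    "\u202A", "\u202B", "\u202C", "\u202D", "\u202E",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
    "\u200E", "\u200F",                                # LRM, RLM
}

# Assumed policy list: extensions that should never arrive disguised as images.
DANGEROUS_EXTENSIONS = ("js", "jse", "exe", "scr", "vbs", "hta", "bat", "cmd", "ps1")


def find_bidi_controls(name):
    """Return (index, Unicode name) for every bidi control character in name."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def rendered_name(name):
    """Approximate what a bidi-unaware UI shows: text after an RLO (U+202E) or
    RLE (U+202B) is drawn right-to-left until a PDF (U+202C) or end of string."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch in ("\u202E", "\u202B"):
            j = i + 1
            while j < len(name) and name[j] != "\u202C":
                j += 1
            out.append(name[i + 1:j][::-1])   # the overridden run appears reversed
            i = j + 1
        elif ch in BIDI_CONTROLS:
            i += 1                           # other controls are invisible
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def true_extension(name):
    """Extension the OS actually uses: strip bidi controls, split on the last dot."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return clean.rsplit(".", 1)[-1].lower() if "." in clean else ""


def assess(name, dangerous=DANGEROUS_EXTENSIONS):
    """Compare the displayed extension with the real one and return a verdict."""
    controls = find_bidi_controls(name)
    shown = rendered_name(name)
    shown_ext = shown.rsplit(".", 1)[-1].lower() if "." in shown else ""
    real_ext = true_extension(name)
    if controls and real_ext in dangerous:
        verdict = "block"        # bidi trick hiding an executable type
    elif controls:
        verdict = "warn"         # bidi control present but extension is benign
    else:
        verdict = "ok"
    return {"shown": shown, "shown_ext": shown_ext, "real_ext": real_ext,
            "controls": controls, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample: the file name quoted in the article, RLO written out.
    sample = "photo_high_re\u202Egnp.js"
    print(assess(sample))
```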

“As a result, users downloaded hidden malware which was then installed on their computers,” Kaspersky says in its press release published today.

Kaspersky Lab reported the vulnerability to Telegram and the company has since patched the vulnerability in its products, as the Russian security firm said: “at the time of publication, the zero-day flaw has not since been observed in messenger’s products.”

Hackers Used Telegram to Infect PCs with Cryptocurrency Miners

During the analysis, Kaspersky researchers found several scenarios of zero-day exploitation in the wild by threat actors. Primarily, the flaw was actively exploited to deliver cryptocurrency mining malware, which uses the victim’s PC computing power to mine different types of cryptocurrency including Monero, Zcash, Fantomcoin, and others.

While analyzing the servers of the malicious actors, the researchers also found archives containing Telegram’s local cache that had been stolen from victims.

In another case, cybercriminals successfully exploited the vulnerability to install a backdoor trojan that used the Telegram API as a command and control protocol, allowing hackers to gain remote access to the victim’s computer.

“After installation, it started to operate in a silent mode, which allowed the threat actor to remain unnoticed in the network and execute different commands including the further installation of spyware tools,” the firm added.

Firsh believes the zero-day vulnerability was exploited only by Russian cybercriminals, as “all the exploitation cases that [the researchers] detected occurring in Russia,” and a lot of artifacts pointed towards Russian cybercriminals.

The best way to protect yourself from such attacks is not to download or open files from unknown or untrusted sources.

The security firm also recommended that users avoid sharing any sensitive personal information in messaging apps and make sure to have good antivirus software from a reliable company installed on their systems.

WordPress version 4.9.3 was released earlier this week with patches for a total of 34 vulnerabilities, but unfortunately, the new version broke the automatic update mechanism for millions of WordPress websites.

The WordPress team has now issued a new maintenance update, WordPress 4.9.4, to patch this severe bug, which WordPress admins have to install manually.

According to security site Wordfence, when the WordPress CMS tries to determine whether an updated version is available for the site to install, a PHP error interrupts the auto-update process.

If not updated manually to the latest 4.9.4 version, the bug would leave your website on WordPress 4.9.3 forever, leaving it vulnerable to future security issues.

Here’s what WordPress lead developer Dion Hulse explained about the bug:

“#43103-core aimed to reduce the number of API calls which get made when the auto-update cron task is run. Unfortunately, due to human error, the final commit didn’t have the intended effect and instead triggers a fatal error as not all of the dependencies of find_core_auto_update() are met. For whatever reason, the fatal error was not discovered before 4.9.3’s release—it was a few hours after release when discovered.”

The issue has since been fixed, but as reported, the fix will not be installed automatically.

Thus, WordPress administrators are being urged to update to the latest WordPress release manually to make sure they’ll be protected against future vulnerabilities.

To manually update their WordPress installations, admin users can sign into their WordPress website and visit Dashboard→Updates and then click “Update Now.”

After the update, make sure that your core WordPress version is 4.9.4.

However, not all websites that received the faulty update have reported seeing this bug. Some users have seen their websites install both updates (4.9.3 and 4.9.4) automatically.

Moreover, the company released two new maintenance updates this week, but neither of them includes a security patch for a severe application-level DoS vulnerability disclosed last week that could allow anyone to take down most WordPress websites even with a single machine.

Since WordPress sites are a frequent target for hackers due to the platform’s wide popularity in the content management system (CMS) market, administrators are advised to always keep their software and plugins up to date.

If you own a Mac computer and run the latest version of Apple’s operating system, macOS High Sierra, then you need to be extra careful with your computer.

A serious, yet stupid vulnerability has been discovered in macOS High Sierra that allows untrusted users to quickly gain unfettered administrative (or root) control on your Mac without any password or security check, potentially leaving your data at risk.

Discovered by developer Lemi Orhan Ergin on Tuesday, the vulnerability only requires anyone with physical access to the target macOS machine to enter “root” into the username field, leave the password blank, and hit Enter a few times—and voila!

In simple words, the flaw allows an unauthorized user that gets physical access on a target computer to immediately gain the highest level of access to the computer, known as “root,” without actually typing any password.

Needless to say, this blindingly easy Mac exploit is really scary stuff.

This vulnerability is similar to one Apple patched last month, which affected encrypted volumes using APFS, wherein the password hint section showed the user’s actual password in plain text.

Here’s How to Login as Root User Without a Password

If you own a Mac and want to try this exploit, follow these steps from an admin or guest account:

Open System Preferences on the machine.

Select Users & Groups.

Click the lock icon to make changes.

Enter “root” in the username field of a login window.

Move the cursor into the Password field, leave it blank, and press Enter a few times.

With that (after a few tries in some cases), macOS High Sierra logs the unauthorized user in with root privileges, allowing the user to access your Mac as a “superuser” with permission to read and write system files, including those belonging to other macOS accounts.

This flaw can be exploited in several ways, depending on the setup of the targeted Mac. With full-disk encryption disabled, a rogue user can turn on a Mac that’s entirely powered down and log in as root by doing the same trick.

At Mac’s login screen, an untrusted user can also use the root trick to gain access to a Mac that has FileVault turned on to make unauthorized changes to the Mac System Preferences, like disabling FileVault.

All the untrusted user needs to do is click “Other” at the login screen, and then enter “root” again with no password.

However, it is impossible to exploit this vulnerability when a Mac is turned on and its screen is protected with a password.

Ergin publicly contacted Apple Support to ask about the issue he discovered. Apple is reportedly working on a fix.

“We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”

Here’s How to Temporarily Fix the macOS High Sierra Bug

Fortunately, the developer suggested a temporary fix for this issue which is as easy as its exploit.

To fix the vulnerability, you need to enable the root user with a password. Here’s how to do that:

Open System Preferences and Select Users & Groups

Click on the lock icon and Enter your administrator name and password there

Click on “Login Options” and select “Join” at the bottom of the screen

Select “Open Directory Utility”

Click on the lock icon to make changes and type your username and password there

Click “Edit” at the top of the menu bar

Select “Enable Root User” and set a password for the root user account

This password will prevent the account from being accessed with a blank password.

Just to be on the safer side, you can also disable the Guest account on your Mac. For this, head to System Preferences → Users & Groups, select Guest User after entering your admin password, and disable “Allow guests to log in to this computer.”

Apple yesterday rolled out a new version of its macOS operating system, dubbed High Sierra 10.13—a few hours before an ex-NSA hacker publicly disclosed the details of a critical vulnerability that affects High Sierra as well as all earlier versions of macOS.

Patrick Wardle, an ex-NSA hacker and now head of research at security firm Synack, found a critical zero-day vulnerability in macOS that could allow any installed application to steal usernames and plaintext passwords of online accounts stored in the Mac Keychain.

The macOS Keychain is a built-in password management system that helps Apple users securely store passwords for applications, servers, websites, cryptographic keys and credit card numbers—which can be accessed using only a user-defined master password.

Typically no application can access the contents of Keychain unless the user enters the master password.

“I discovered a flaw where malicious non-privileged code (or apps) could programmatically access the keychain and dump all this data …. including your plain text passwords. This is not something that is supposed to happen!,” Wardle said.

Wardle yesterday posted a proof-of-concept video of the exploit, demonstrating how the hack can be used to exfiltrate every single plaintext password from Keychain without requiring the user to enter the master password.


The video shows how a malicious installed application, signed or unsigned, allows an attacker to remotely steal all the passwords stored in the keychain without notifying the user of the attack.

“macOS is designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval,” said Apple in a statement released today.

“We encourage users to download software only from trusted sources like the Mac App Store and to pay careful attention to security dialogs that macOS presents.”

Wardle claimed that he reported the issue to Apple last month, and made the public disclosure when the company planned to release High Sierra without fixing the vulnerability, which not only affects the newest version but also older versions of macOS.

Are you sure the version of WhatsApp, or Skype, or VLC Player installed on your system is legitimate?

Security researchers have discovered that legitimate downloads of several popular applications including WhatsApp, Skype, VLC Player and WinRAR have reportedly been compromised at the ISP level to distribute the infamous FinFisher spyware also known as FinSpy.

FinSpy is a highly secret surveillance tool that has previously been associated with British company Gamma Group, a company that legally sells surveillance and espionage software to government agencies across the world.

The spyware has extensive spying capabilities on an infected computer, including secretly conducting live surveillance by turning on its webcam and microphone, recording everything the victim types with a keylogger, intercepting Skype calls, and exfiltrating files.

In order to get into a target’s machine, FinFisher usually uses various attack vectors, including spear phishing, manual installation with physical access to the device, zero-day exploits, and watering hole attacks.

Your ISP may be Helping Hackers to Spy on You

However, a new report published today by ESET claimed that its researchers had discovered new surveillance campaigns utilizing new variants of FinFisher in seven countries, which come bundled with a legitimate application.

But how is this happening? Attackers are targeting victims using a man-in-the-middle (MitM) attack, where the internet service providers (ISP) are most likely operating as the “middle man”—bundling legitimate software downloads with FinFisher.

“We have seen this vector being used in two of the countries in which ESET systems detected the latest FinFisher spyware (in the five remaining countries, the campaigns have relied on traditional infection vectors),” the researchers say.

Previously published documents by WikiLeaks also indicated that the FinFisher maker also offered a tool called “FinFly ISP,” which is supposed to be deployed on ISP level with capabilities necessary for performing such a MitM attack.

The popular applications targeted by the new variants of FinFisher include WhatsApp, Skype, VLC Player, Avast and WinRAR, and the ESET researchers said, “virtually any application could be misused in this way.”

Here’s How the Attack Works:

When the target users search for one of the affected applications on legitimate websites and click on its download link, their browser is served a modified URL, which redirects victims to a trojanized installation package hosted on the attacker’s server.

This results in the installation of a version of the intended legitimate application bundled with the surveillance tool.

“The redirection is achieved by the legitimate download link being replaced by a malicious one,” the researchers say. “The malicious link is delivered to the user’s browser via an HTTP 307 Temporary Redirect status response code indicating that the requested content has been temporarily moved to a new URL.”

This whole redirection process, according to the researchers, is “invisible to the naked eye” and occurs without the user’s knowledge.
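As an added example (not code from the original post or from ESET), the check below classifies the raw HTTP response to a software-download request the way an endpoint or proxy monitor might: a 3xx whose Location leaves the requested host, downgrades HTTPS to HTTP, or points at a bare IP address is flagged. The responses and hostnames are constructed samples; the real campaign’s URLs are not on the page.

```python
import ipaddress
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_response_head(raw):
    """Split a raw HTTP/1.x response into (status_code, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])          # "HTTP/1.1 307 Temporary Redirect"
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return status, headers, body


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_download_redirect(requested_url, raw_response):
    """Return a verdict ('ok', 'suspicious', 'hijacked') for a download response."""
    status, headers, _ = parse_response_head(raw_response)
    result = {"status": status, "location": headers.get("location"),
              "verdict": "ok", "reasons": []}
    if status not in REDIRECT_CODES:
        return result                              # a direct 200 etc. is not a redirect
    req = urlsplit(requested_url)
    loc = urlsplit(headers.get("location", ""))
    if req.scheme == "https" and loc.scheme == "http":
        result["reasons"].append("https-to-http downgrade")
    if loc.hostname and loc.hostname != req.hostname:
        result["reasons"].append(f"redirect leaves {req.hostname} for {loc.hostname}")
    if loc.hostname and _is_ip_literal(loc.hostname):
        result["reasons"].append("redirect target is a bare IP address")
    if result["reasons"]:
        cross_host = any(r.startswith("redirect leaves") for r in result["reasons"])
        result["verdict"] = "hijacked" if cross_host else "suspicious"
    return result


# Constructed samples. 198.51.100.0/24 is a documentation range, not a real server.
REQUESTED = "https://download.example.com/get/vlc-setup.exe"
CONSTRUCTED_MITM = ("HTTP/1.1 307 Temporary Redirect\r\n"
                    "Location: http://198.51.100.23/dl/vlc-setup.exe\r\n"
                    "Connection: close\r\nContent-Length: 0\r\n\r\n")
CONSTRUCTED_BENIGN = ("HTTP/1.1 307 Temporary Redirect\r\n"
                      "Location: https://download.example.com/pub/vlc-setup.exe\r\n\r\n")
CONSTRUCTED_DIRECT = "HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nMZ..."

if __name__ == "__main__":
    for sample in (CONSTRUCTED_MITM, CONSTRUCTED_BENIGN, CONSTRUCTED_DIRECT):
        print(check_download_redirect(REQUESTED, sample))
```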

FinFisher Utilizing a Whole Lot of New Tricks

The new tricks employed by the latest version of FinFisher kept it from being spotted by the researchers.

The researchers also note that the latest version of FinFisher received several technical improvements in terms of stealthiness, including the use of custom code virtualization to protect the majority of its components like the kernel-mode driver.

It also makes use of anti-disassembly tricks, and numerous anti-sandboxing, anti-debugging, anti-virtualization and anti-emulation tricks, aiming at compromising end-to-end encryption software and known privacy tools.

One such target, the secure messaging application Threema, was discovered by the researchers while they were analyzing the recent campaigns.

“FinFisher spyware masqueraded as an executable file named “Threema.” Such a file could be used to target privacy-concerned users, as the legitimate Threema application provides secure instant messaging with end-to-end encryption,” the researchers say.

“Ironically, getting tricked into downloading and running the infected file would result in the privacy-seeking user being spied upon.”

The master key for the original version of the Petya ransomware has been released by its creator, allowing Petya-infected victims to recover their encrypted files without paying any ransom money.

But wait, Petya is not NotPetya.

Do not confuse Petya ransomware with the latest destructive NotPetya ransomware (also known as ExPetr and Eternal Petya) attacks that wreaked havoc across the world last month, massively targeting multiple entities in Ukraine and parts of Europe.

The Petya ransomware has three variants that have infected many systems around the world, but now the author of the original malware, who goes by the pseudonym Janus, has made the master key available on Wednesday.

According to security researchers, victims infected with previous variants of Petya ransomware, including Red Petya (first version), Green Petya (second version) and early versions of the GoldenEye ransomware, can get their encrypted files back using the master key.

The authenticity of the master key has been verified by an independent Polish information security researcher known as Hasherezade.

“Similarly to the authors of TeslaCrypt, he released his private key, allowing all the victims of the previous Petya attacks, to get their files back,” Hasherezade posted in her findings on Malwarebytes on Thursday.

“Thanks to the currently published master key, all the people who have preserved the images of the disks encrypted by the relevant versions of Petya, may get a chance of getting their data back.”

Although the first and second versions of Petya were cracked last year, the private key released by Janus offers the fastest and most reliable way yet for Petya-infected victims to decrypt their files, especially those locked with the previously uncrackable third version.

Meanwhile, Kaspersky Lab research analyst Anton Ivanov also analyzed the Janus’ master key and confirmed that the key unlocks all versions of Petya ransomware, including GoldenEye.

Janus created the GoldenEye ransomware in 2016 and sold the variants as Ransomware-as-a-Service (RaaS) to other hackers, allowing anyone to launch ransomware attacks with just one click, encrypt systems and demand a ransom to unlock them.

If the victim pays, Janus gets a cut of the payment. But in December, he went silent.

However, according to the Petya author, his malware has been modified by another threat actor to create NotPetya that targeted computers of critical infrastructure and corporations in Ukraine as well as 64 other countries.

The NotPetya ransomware also makes use of the NSA’s leaked Windows hacking exploits EternalBlue and EternalRomance to rapidly spread within a network, and the WMIC and PsExec tools to remotely execute malware on the machines.

Security experts even believe the real intention behind the recent outbreak, which was believed to be bigger than the WannaCry ransomware, was to cause disruption, rather than just another ransomware attack.

According to researchers, NotPetya is in reality wiper malware that wipes systems outright, destroying all records on the targeted systems, and the ransom demand was merely a way to divert the world’s attention from a state-sponsored attack to an apparent malware outbreak.

Those infected with NotPetya are out of luck, but the master key can help people who were attacked by previous variants of Petya and GoldenEye ransomware in the past.

Security researchers are using the key to build free decryptors for victims who still have crypto-locked hard drives.

The Server Message Block version 1 (SMBv1) — a 30-year-old file sharing protocol which came to light last month after the devastating WannaCry outbreak — will be removed from the upcoming Windows 10 (1709) Redstone 3 Update.

SMBv1 is one of the internet’s most ancient networking protocols; it allows operating systems and applications to read and write data on a remote system and lets a system request services from a server.

The WannaCry ransomware menace shut down hospitals, telecommunication providers, and many businesses worldwide, infecting hundreds of thousands of unpatched Windows servers running SMBv1 in more than 150 countries within just 72 hours on 12th of May.

Although Microsoft patched the vulnerability in SMBv1 in March with MS17-010, the company has also strongly advised users to disable the three-decade-old protocol completely.

And you should disable it completely.

I mean come on, since Windows Vista you have SMBv2 and later SMBv3, and you are continuing to allow the old and horribly insecure SMBv1 protocol to run on your network.

Strange! Because there’s no excuse to continue.

Ned Pyle, the principal program manager for Microsoft’s Windows Server High Availability and Storage division, also published a blog post this month listing products from other vendors that still use SMBv1 and begging them to stop using it now.

Pyle also hinted that the company has been planning to remove SMBv1 from the Windows 10 Fall Creators Update (Version 1709), which is expected to be released in September/October 2017.

“SMB1 is being removed (fully or partially, depending on SKU) by default in the RS3 release of Windows and Windows Server. This is coming, folks,” Pyle wrote.

Microsoft has recently announced the beta release of Windows 10 “Creators Update,” also known as “Redstone 2” (Version 1703), which disables the SMB1 protocol by default, and after testing and getting feedback from the community, the company has decided to completely remove the protocol in the next stable version of the operating system.

A Microsoft representative has just confirmed this to Threatpost, saying “We can confirm that SMBv1 is being removed for Redstone 3 [codename for the Windows 10 Fall Creators Update].”

Meanwhile, the company has published a document describing the registry settings, PowerShell commands and group policy settings needed to disable SMBv1 in your Windows environment manually.